Posted to user@couchdb.apache.org by ro...@gmail.com on 2010/11/03 00:33:10 UTC

Basic security help

Loving couch! Used it for real for the first time today for capturing
logging information from an iPhone application. Love the way I can
just use JSON to send data direct to the DB without a server side
application layer ... BUT

I need to get some basic security in place and can't figure out how to
add regular users, rather than admin users to couch. I'm running 1.0.1
by the way and have read all the documentation, which has left me
rather confused.

I can set up admin users in futon fine. However in the _users database,
the roles are empty. I thought admin users had a role of _admin? Is
this not the case??

I see no interface for setting up regular users though. What I'd like
to do is have basic http authentication so I can use that for access
to a particular database. Not uber secure, but for now it will be
better than exposing everything to everyone!

So my questions are:

1) Why do admin users have no role attached?
2) How do I create a new user that doesn't have admin rights? I just
want to allocate this user as a "reader" for the database concerned.

I think I'm confused because the sands seem to have been shifting on
this as it is all rather fluid so I can't get my head around what the
plan is for which versions! Apologies for being a bit dense about it.

Many thanks in advance!

Roger

Basic security help

Posted by Zachary Zolton <za...@gmail.com>.
Roger,

If you want folks to be able to sign up by themselves, using nothing
but a CouchApp, you must leave the _user database readable to anyone.
For certain apps--where the users' profiles are public anyways--having
the _user DB world-readable doesn't necessarily matter.

If I didn't want the _users database to be readable, I'd create a
frontend webapp (using my favorite HTTP scripting environment at the
moment) to create users via an admin account.


Cheers,

Zach

On Wed, Nov 3, 2010 at 4:07 AM,  <ro...@gmail.com> wrote:
>> To create a normal user with a role of "reader", just PUT
>> {"name":"username","roles":["reader"]....} to
>> /_users/org.couchdb.user:username
>
> OK ... but what about the password? Is there a complete example
> anywhere of this working?
>
> I managed to stumble through it all last night by logging out and then
> using the sign up process, except that when you have security on the
> _users database (which seems prudent) you don't have any rights to
> access it because you are signed out! So in order to do it, you have
> to turn security OFF, then create the users and then remember to turn
> security back on. Seems a bit crazy no?
>
> Shouldn't Futon have the ability to create normal users and shouldn't
> this be an activity restricted to administrators?
>
> I know one can argue that you can add security via a proxy, but that
> instantly makes the whole setup doubly complicated and shouldn't be
> the default option.
>
> Roger
>

Re: Basic security help

Posted by ro...@gmail.com.
> To create a normal user with a role of "reader", just PUT
> {"name":"username","roles":["reader"]....} to
> /_users/org.couchdb.user:username

OK ... but what about the password? Is there a complete example
anywhere of this working?

I managed to stumble through it all last night by logging out and then
using the sign up process, except that when you have security on the
_users database (which seems prudent) you don't have any rights to
access it because you are signed out! So in order to do it, you have
to turn security OFF, then create the users and then remember to turn
security back on. Seems a bit crazy no?

Shouldn't Futon have the ability to create normal users and shouldn't
this be an activity restricted to administrators?

I know one can argue that you can add security via a proxy, but that
instantly makes the whole setup doubly complicated and shouldn't be
the default option.

Roger

Re: Basic security help

Posted by David Rose <do...@gmail.com>.
The _admins you create in futon are admins because they get written to
default.ini. They don't need to have the _admin value in doc.roles.

To create a normal user with a role of "reader", just PUT
{"name":"username","roles":["reader"]....} to
/_users/org.couchdb.user:username

doppler

On Tue, Nov 2, 2010 at 6:33 PM,  <ro...@gmail.com> wrote:
> Loving couch! Used it for real for the first time today for capturing
> logging information from an iPhone application. Love the way I can
> just use JSON to send data direct to the DB without a server side
> application layer ... BUT
>
> I need to get some basic security in place and can't figure out how to
> add regular users, rather than admin users to couch. I'm running 1.0.1
> by the way and have read all the documentation, which has left me
> rather confused.
>
> I can set up admin users in futon fine. However in the _users database,
> the roles are empty. I thought admin users had a role of _admin? Is
> this not the case??
>
> I see no interface for setting up regular users though. What I'd like
> to do is have basic http authentication so I can use that for access
> to a particular database. Not uber secure, but for now it will be
> better than exposing everything to everyone!
>
> So my questions are:
>
> 1) Why do admin users have no role attached?
> 2) How do I create a new user that doesn't have admin rights? I just
> want to allocate this user as a "reader" for the database concerned.
>
> I think I'm confused because the sands seem to have been shifting on
> this as it is all rather fluid so I can't get my head around what the
> plan is for which versions! Apologies for being a bit dense about it.
>
> Many thanks in advance!
>
> Roger
>
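Two things are left implicit in the thread: what the user document David describes needs to carry besides `name` and `roles` (Roger's "what about the password?"), and how the `"reader"` role is then tied to a particular database. The script below is an added illustration, not code from the list or from the CouchDB project. It builds the `_users` document the way CouchDB 1.0.x expects it (a random `salt` plus `password_sha` = SHA-1 of password + salt, no plaintext password), builds the per-database `_security` document whose `readers` section names that role, and includes a small local model of the read check so the two can be tried together offline. The user name `roger`, the password `s3cret`, the database name `iphone_logs` and the host `http://localhost:5984` are constructed sample values; `can_read()` is my reading of the rule, not CouchDB's own code.

```python
"""Build a CouchDB 1.0.x _users document plus a database _security document.

Added example for the thread above; not CouchDB project code. Sample values
(user name, password, database name, host) are constructed for illustration.
"""
import hashlib
import hmac
import json
import os


def make_user_doc(name, password, roles, salt=None):
    """Return the JSON body to PUT at /_users/org.couchdb.user:<name>.

    CouchDB 1.0.x stores no plaintext password: the document carries a random
    `salt` and `password_sha` = hex SHA-1(password + salt). The server's own
    validate_doc_update insists on type == "user", on the _id matching the
    name, and rejects roles beginning with an underscore (so "_admin" can never
    be granted this way; server admins live in the ini file instead). Setting
    `roles` at all requires the PUT to be made with server-admin credentials.
    `salt` is normally random; passing one makes the result reproducible.
    """
    if salt is None:
        salt = os.urandom(16).hex()
    digest = hashlib.sha1((password + salt).encode("utf-8")).hexdigest()
    return {
        "_id": "org.couchdb.user:" + name,
        "name": name,
        "type": "user",
        "roles": list(roles),       # e.g. ["reader"]
        "salt": salt,
        "password_sha": digest,
    }


def check_password(user_doc, candidate):
    """Recompute the hash the way the server does at login and compare it."""
    digest = hashlib.sha1((candidate + user_doc["salt"]).encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, user_doc["password_sha"])


def make_security_doc(reader_names=(), reader_roles=(), admin_names=(), admin_roles=()):
    """Return the body to PUT at /<db>/_security.

    In 1.0.x the read-restricting section is called "readers" (renamed
    "members" in 1.1). Leaving both of its lists empty leaves the database
    readable by everyone, which is Roger's "exposing everything" situation.
    """
    return {
        "admins": {"names": list(admin_names), "roles": list(admin_roles)},
        "readers": {"names": list(reader_names), "roles": list(reader_roles)},
    }


def can_read(security_doc, user_doc=None, server_admin=False):
    """Local model of the read check (my reading of the rule, not CouchDB code).

    Server admins always pass. A database whose readers section is empty is
    public. Otherwise the requester must be a database admin, be listed by
    name, or hold at least one of the listed roles; anonymous requests fail.
    """
    if server_admin:
        return True
    readers, admins = security_doc["readers"], security_doc["admins"]
    if not readers["names"] and not readers["roles"]:
        return True
    if user_doc is None:
        return False
    roles = set(user_doc["roles"])
    if user_doc["name"] in admins["names"] or roles & set(admins["roles"]):
        return True
    if user_doc["name"] in readers["names"]:
        return True
    return bool(roles & set(readers["roles"]))


if __name__ == "__main__":
    # Constructed sample values.
    user = make_user_doc("roger", "s3cret", ["reader"])
    security = make_security_doc(reader_roles=["reader"])
    # Both documents would be sent with server-admin credentials, e.g.:
    #   curl -u admin:pw -X PUT http://localhost:5984/_users/org.couchdb.user:roger -d @user.json
    #   curl -u admin:pw -X PUT http://localhost:5984/iphone_logs/_security -d @security.json
    print(json.dumps(user, indent=2))
    print(json.dumps(security, indent=2))
    print("roger can read:", can_read(security, user))
    print("anonymous can read:", can_read(security, None))
```

Run as-is, the script prints the two documents and shows that `roger` (role `reader`) passes the read check for `iphone_logs` while an anonymous request does not. Note that once `readers` is non-empty, every read of that database needs credentials, which is why Roger's sign-up-while-logged-out approach stops working as soon as `_users` itself is locked down.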